2 matches found
CVE-2024-5386
CVE-2024-5386 affects lunary-ai/lunary version 1.2.2, where a password reset token leak enables account hijacking. A user with the low-privilege viewer role can trigger a response that returns a recoveryToken, which can be used to reset another user’s password without authorization. The root caus...
CVE-2024-4151
CVE-2024-4151 affects lunary-ai/lunary 1.2.2. The issue is an improper access control in handling of PATCH and GET requests for template versions, allowing unauthorized users to view and update prompts across any project. Root cause: insufficient access checks in request handling leading to cross...